
Protect your endpoint

OIDC is supported through Keycloak. Follow these steps to configure a Keycloak Client.

Read the Keycloak client configuration guide to learn more.

To secure an endpoint, add the annotations below to its Ingress. auth-url makes the ingress controller issue a sub-request to oauth2-proxy for every incoming request: a 2xx answer lets the request through to your application, a 401 is turned into a redirect to auth-signin, where the user authenticates against Keycloak. auth-url is the in-cluster address of oauth2-proxy, while auth-signin must be the public HTTPS address the user's browser can reach. The ref+file://config.yaml#/ingress/domainName+ fragments are placeholders resolved from config.yaml at render time; substitute your ingress domain if you write the manifest by hand.

The third annotation, nginx.ingress.kubernetes.io/configuration-snippet, is optional: it uses nginx's sub_filter to inject a logout link into every HTML response. If you use it, replace the sampleapp subdomain in the rd= parameter of the sign_out link with the subdomain of your own Ingress, otherwise the post-logout redirect points at the wrong host. Snippet annotations only take effect if the ingress controller allows them (allow-snippet-annotations in its ConfigMap).

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.k8saas-system.svc.cluster.local/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.ref+file://config.yaml#/ingress/domainName+/oauth2/sign_in
    # Optional: inject a logout button
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Accept-Encoding ""; # sub_filter cannot rewrite compressed responses, so ask the backend for uncompressed ones
      sub_filter "</body>" "<script>(function(){document.addEventListener('DOMContentLoaded',function(){document.body.insertAdjacentHTML('beforeend','<a href=\"https://oauth2-proxy.ref+file://config.yaml#/ingress/domainName+/oauth2/sign_out?rd=https://sampleapp.ref+file://config.yaml#/ingress/domainName+\" style=\"position:fixed;bottom:10px;right:10px;background-color:#f44336;color:white;padding:5px;border-radius:3px;text-decoration:none;font-family:sans-serif;\">Logout</a>')})})()</script></body>";
  ...
spec:
  ...
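Before applying the manifest it is worth checking mechanically that the annotations fit together, in particular that the logout link's rd= target is a host the Ingress actually serves. The following is an added example, not code from the K8SaaS docs or project: it reads the Ingress as JSON (as printed by kubectl get ingress <name> -o json) and reports anything that would leave the endpoint unprotected or the logout redirect broken. The embedded sample manifest is constructed for the example, and the domain example.internal is an assumption standing in for the ref+file:// placeholder.

```python
"""Check that an Ingress is protected by the oauth2-proxy annotations.

Added example for this page, not part of the K8SaaS project. Reads the
JSON of an Ingress and verifies:
  - auth-url is present and points at oauth2-proxy's /oauth2/auth,
  - auth-signin is present, https, and an /oauth2/ path,
  - a logout link injected via configuration-snippet redirects (rd=)
    back to a host this Ingress serves,
  - sub_filter is not used without clearing Accept-Encoding.
The sample manifest at the bottom is constructed; example.internal is an
assumed domain.
"""
import json
import re
import sys
from urllib.parse import urlparse

ANN = "nginx.ingress.kubernetes.io/"
# rd value runs until a quote, '&', backslash (the escaped quote in the
# snippet) or whitespace
RD_RE = re.compile(r'rd=([^"&\\\s]+)')


def check_ingress(ingress: dict) -> list:
    """Return a list of findings; an empty list means the Ingress passes."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    rules = ingress.get("spec", {}).get("rules") or []
    hosts = {r["host"] for r in rules if r.get("host")}

    auth_url = ann.get(ANN + "auth-url")
    if not auth_url:
        findings.append("missing auth-url: requests are never checked by oauth2-proxy")
    elif not urlparse(auth_url).path.endswith("/oauth2/auth"):
        findings.append(f"auth-url does not point at oauth2-proxy's /oauth2/auth: {auth_url}")

    auth_signin = ann.get(ANN + "auth-signin")
    if not auth_signin:
        findings.append("missing auth-signin: unauthenticated users get a bare 401 instead of a login redirect")
    else:
        u = urlparse(auth_signin)
        if u.scheme != "https":
            findings.append(f"auth-signin is not https: {auth_signin}")
        if not u.path.startswith("/oauth2/"):
            findings.append(f"auth-signin is not an oauth2-proxy sign-in path: {auth_signin}")

    snippet = ann.get(ANN + "configuration-snippet") or ""
    for rd in RD_RE.findall(snippet):
        rd_host = urlparse(rd).hostname
        if rd_host not in hosts:
            findings.append(f"logout rd target {rd_host!r} is not a host served by this Ingress {sorted(hosts)}")
    if "sub_filter" in snippet and "Accept-Encoding" not in snippet:
        findings.append("sub_filter used without clearing Accept-Encoding: compressed responses will not be rewritten")
    return findings


# Constructed sample mirroring the page's manifest; example.internal is assumed.
SAMPLE_INGRESS = {
    "metadata": {
        "name": "sampleapp",
        "annotations": {
            ANN + "auth-url": "http://oauth2-proxy.k8saas-system.svc.cluster.local/oauth2/auth",
            ANN + "auth-signin": "https://oauth2-proxy.example.internal/oauth2/sign_in",
            ANN + "configuration-snippet": (
                'proxy_set_header Accept-Encoding "";\n'
                'sub_filter "</body>" "<script>...<a href=\\"https://oauth2-proxy.example.internal'
                '/oauth2/sign_out?rd=https://sampleapp.example.internal\\" ...>Logout</a>...</body>";\n'
            ),
        },
    },
    "spec": {"rules": [{"host": "sampleapp.example.internal"}]},
}

if __name__ == "__main__":
    # usage: python check_ingress.py ingress.json   (no argument: check the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INGRESS
    problems = check_ingress(doc)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it against `kubectl get ingress myapp -o json > ingress.json`; a non-zero exit means at least one of the annotations would not do what this page expects.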

If your application fails with an x509: certificate signed by unknown authority error when it calls oauth2-proxy or Keycloak, it does not trust the K8SaaS CA. Have the CA injected by adding the ca-injector annotation to the application pod (on a Deployment, that is the pod template, not the Deployment's own metadata):

microcumul.us/injectssl: k8saas-bundle

If needed, you can extend the K8SaaS trust-manager Bundle so that your own CA is distributed to your applications as well. Add the Secret holding your CA certificate as an extra source; trust-manager reads source Secrets from its own trust namespace, so the Secret must be created there.

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: k8saas-bundle
spec:
  sources:
  - useDefaultCAs: true
  - secret:
      name: k8saas-ca-root
      key: ca.crt
  # Add your own CA
  - secret:
      name: own-ca
      key: own-ca.crt
  target:
    secret:
      key: ca.crt

To verify the setup, open your application in a browser while not logged in: you should be redirected to the OAuth provider's login page through oauth2-proxy. That redirect shows the auth-url/auth-signin pair is in effect. If the application renders directly, the annotations are not being applied; if you get a bare 401 page, auth-url fired but auth-signin is missing or wrong.
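The same check can be scripted so it runs after every deploy. The following is an added example, not code from the K8SaaS docs or project: it sends one unauthenticated GET to the application URL without following redirects and classifies the answer as protected (redirected to oauth2-proxy), unprotected (content served) or unexpected (a bare 401, or a redirect that the application itself issued instead of oauth2-proxy). The hostnames sampleapp.example.internal and oauth2-proxy.example.internal are assumptions standing in for your ingress domain.

```python
"""Smoke-test that an Ingress host redirects unauthenticated users to oauth2-proxy.

Added example, not K8SaaS code. The default hostnames are assumptions.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location, proxy_host: str) -> str:
    """Classify the response to an unauthenticated request.

    protected   - redirected over https to an /oauth2/ path on proxy_host
    unprotected - 2xx content served without any login redirect
    unexpected  - anything else: a 401 means auth-url fired but auth-signin
                  is missing; a redirect to another host or path means the
                  application, not oauth2-proxy, handled the request
    """
    if status in REDIRECT_CODES and location:
        u = urlparse(location)
        if u.scheme == "https" and u.hostname == proxy_host and u.path.startswith("/oauth2/"):
            return "protected"
        return "unexpected"
    if 200 <= status < 300:
        return "unprotected"
    return "unexpected"


def probe(url: str, proxy_host: str) -> str:
    """Issue one GET without cookies and without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"Accept": "text/html"})
    try:
        resp = opener.open(req, timeout=10)
        status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # once redirects are refused, urllib surfaces 3xx (and 4xx) here
        status, location = e.code, e.headers.get("Location")
    return classify(status, location, proxy_host)


if __name__ == "__main__":
    # usage: python probe_ingress.py https://app.<domain>/ oauth2-proxy.<domain>
    url = sys.argv[1] if len(sys.argv) > 1 else "https://sampleapp.example.internal/"
    proxy = sys.argv[2] if len(sys.argv) > 2 else "oauth2-proxy.example.internal"
    verdict = probe(url, proxy)
    print(verdict)
    sys.exit(0 if verdict == "protected" else 1)
```

The probe deliberately sends no cookies, so a valid session on your own machine cannot mask a missing annotation; run it from a clean environment or CI.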